CVE-2024-7954
CRITICAL EPSS 99.8%
Published Aug 23, 20241y ago · Modified Jun 17, 20262w ago
9.8 CVSS 3.1
Published Aug 23, 2024 1y ago
Last Modified Jun 17, 2026 2w ago
Description
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
99.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 2
CWE-1286
CWE-95
References 3
- blog.spip.net https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html
- thinkloveshare.com https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/
- vulncheck.com https://vulncheck.com/advisories/spip-porte-plume
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.